SSIZE_T Object::objectKey( const BYTE *data, SIZE_T len, ObjectKeyType &key ) {
SSIZE_T off=0;
// Object key len
BYTE objectKeyLen = RB(data,off);
if (objectKeyLen > 4) {
throw std::bad_cast();
}
assert(len >= SIZE_T(1+objectKeyLen));
// Object key
key = RDW( data, off );
//printf( "[dsmcc::Object] Parsing object key: len=%08lx, key=%08lx\n", len, key );
return off;
}
void scan_init()
{
register char *p ;
(void) memset(scan_code, SC_UNEXPECTED, SIZE_T(sizeof(scan_code))) ;
for( p = scan_code + '0' ; p <= scan_code + '9' ; p++ )
*p = SC_DIGIT ;
scan_code[0] = 0 ;
scan_code[ ' ' ] = scan_code['\t'] = scan_code['\f'] = SC_SPACE ;
scan_code[ '\r'] = scan_code['\013'] = SC_SPACE ;
scan_code[';'] = SC_SEMI_COLON ;
scan_code['\n'] = SC_NL ;
scan_code['{'] = SC_LBRACE ;
scan_code[ '}'] = SC_RBRACE ;
scan_code['+'] = SC_PLUS ;
scan_code['-'] = SC_MINUS ;
scan_code['*'] = SC_MUL ;
scan_code['/'] = SC_DIV ;
scan_code['%'] = SC_MOD ;
scan_code['^'] = SC_POW ;
scan_code['('] = SC_LPAREN ;
scan_code[')'] = SC_RPAREN ;
scan_code['_'] = SC_IDCHAR ;
scan_code['='] = SC_EQUAL ;
scan_code['#'] = SC_COMMENT ;
scan_code['\"'] = SC_DQUOTE ;
scan_code[','] = SC_COMMA ;
scan_code['!'] = SC_NOT ;
scan_code['<'] = SC_LT ;
scan_code['>'] = SC_GT ;
scan_code['|'] = SC_OR ;
scan_code['&'] = SC_AND ;
scan_code['?'] = SC_QMARK ;
scan_code[':'] = SC_COLON ;
scan_code['['] = SC_LBOX ;
scan_code[']'] = SC_RBOX ;
scan_code['\\'] = SC_ESCAPE ;
scan_code['.'] = SC_DOT ;
scan_code['~'] = SC_MATCH ;
scan_code['$'] = SC_DOLLAR ;
for( p = scan_code + 'A' ; p <= scan_code + 'Z' ; p++ )
*p = *(p + 'a' - 'A') = SC_IDCHAR ;
}
bool sections_virtual_to_raw(BYTE* payload, SIZE_T payload_size, OUT BYTE* destAddress, OUT SIZE_T *raw_size_ptr)
{
if (payload == NULL) return false;
bool is64b = is64bit(payload);
BYTE* payload_nt_hdr = get_nt_hrds(payload);
if (payload_nt_hdr == NULL) {
printf("Invalid payload: %p\n", payload);
return false;
}
IMAGE_FILE_HEADER *fileHdr = NULL;
DWORD hdrsSize = 0;
LPVOID secptr = NULL;
if (is64b) {
IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*) payload_nt_hdr;
fileHdr = &(payload_nt_hdr64->FileHeader);
hdrsSize = payload_nt_hdr64->OptionalHeader.SizeOfHeaders;
secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr64->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
} else {
IMAGE_NT_HEADERS32* payload_nt_hdr32 = (IMAGE_NT_HEADERS32*) payload_nt_hdr;
fileHdr = &(payload_nt_hdr32->FileHeader);
hdrsSize = payload_nt_hdr32->OptionalHeader.SizeOfHeaders;
secptr = (LPVOID)((ULONGLONG)&(payload_nt_hdr32->OptionalHeader) + fileHdr->SizeOfOptionalHeader);
}
if (!validate_ptr(payload, payload_size, payload, hdrsSize)) {
return false;
}
//copy payload's headers:
memcpy(destAddress, payload, hdrsSize);
//copy all the sections, one by one:
printf("Coping sections:\n");
SIZE_T raw_end = 0;
for (WORD i = 0; i < fileHdr->NumberOfSections; i++) {
PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)((ULONGLONG)secptr + (IMAGE_SIZEOF_SECTION_HEADER * i));
if (!validate_ptr(payload, payload_size, next_sec, IMAGE_SIZEOF_SECTION_HEADER)) {
return false;
}
LPVOID section_mapped = (BYTE*) payload + next_sec->VirtualAddress;
LPVOID section_raw_ptr = destAddress + next_sec->PointerToRawData;
SIZE_T sec_size = next_sec->SizeOfRawData;
raw_end = next_sec->SizeOfRawData + next_sec->PointerToRawData;
if (next_sec->VirtualAddress + sec_size >= payload_size) {
printf("[!] Virtual section size is out ouf bounds: %lx\n", sec_size);
sec_size = SIZE_T(payload_size - next_sec->VirtualAddress);
printf("[!] Truncated to maximal size: %lx\n", sec_size);
}
if (next_sec->VirtualAddress >= payload_size && sec_size != 0) {
printf("[-] VirtualAddress of section is out ouf bounds: %lx\n", static_cast<SIZE_T>(next_sec->VirtualAddress));
return false;
}
if (next_sec->PointerToRawData + sec_size >= payload_size) {
printf("[-] Raw section size is out ouf bounds: %lx\n", sec_size);
return false;
}
printf("[+] %s to: %p\n", next_sec->Name, section_raw_ptr);
memcpy(section_raw_ptr, section_mapped, sec_size);
}
if (raw_end > payload_size) raw_end = payload_size;
if (raw_size_ptr != NULL) {
(*raw_size_ptr) = raw_end;
}
return true;
}
